Equifax (EFX - Get Report) has agreed to pay at least $575 million, and potentially up to $700 million, to settle privacy claims stemming from a 2017 breach that left Social Security numbers and other data for almost 150 million people open on the internet, the Federal Trade Commission said Monday.
The deal would settle claims by the Federal Trade Commission, the Consumer Financial Protection Bureau and 50 U.S. states and territories. The FTC charged that Equifax failed to secure the personal information stored on its network, leading to the breach that left victims open to identity theft and fraud.
As part of the settlement, Equifax will pay $300 million to a fund that will provide affected consumers with credit monitoring services and compensate those who bought credit or identity monitoring services from Equifax and paid other out-of-pocket expenses as a result of the breach. Equifax will add up to $125 million to the fund if the initial payment isn't enough to compensate consumers. Starting in January, Equifax will provide all U.S. consumers with six free credit reports each year for seven years in addition to the one free annual credit report that Equifax and the two other nationwide credit reporting agencies currently provide.
The company also agreed to pay $175 million to 48 states, the District of Columbia and Puerto Rico, as well as $100 million to the CFPB in civil penalties.
The hack forced big changes at the credit bureau company, leading to the resignation of its long-serving CEO, and prompting intense scrutiny from lawmakers.
Shares of Equifax climbed 1.3% to $139.09